upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-28 04:10:50 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities

Browse source 
The inconsistencies in 'ocsp-update' parameter were only checked when
parsing a crt-list line so if a certificate was used on a bind line
after being used in a crt-list with 'ocsp-update' set to 'on', then no
error would be raised. This patch helps detect such inconsistencies.

This patch can be backported up to branch 2.8.
This commit is contained in:
Remi Tricot-Le Breton 2024-03-25 16:50:24 +01:00 committed by William Lallemand
parent 97c2734f44
commit b1d623949c
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/ssl_sock.c
View file

@ -3842,6 +3842,14 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, int is_default,
if ((ckchs = ckchs_lookup(path))) {
/* we found the ckchs in the tree, we can use it directly */
cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, is_default, &ckch_inst, err);
/* This certificate has an 'ocsp-update' already set in a
* previous crt-list so we must raise an error. */
if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err: "", path);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
found++;
} else if (stat(path, &buf) == 0) {
found++;